The following was published in today's edition of Seacoast Sunday and on Seacoastonline.com.
Unless you have had your head in the sand, you know Yahoo has announced another data breach and this one is more massive than the last. That in and of itself is pretty hard to fathom.
In September, Yahoo announced 500 million user accounts had been breached. This week’s announcement is for an additional one billion, that’s 1,000,000,000 breached user accounts! That is 1.5 billion breached user accounts for a site that claims one billion users a month. Yahoo now owns the bragging rights for the worst cyber-security events in the history of the public Internet.
What’s worse, this breach happened in August 2013, which means the hackers have had this information for three years. The breached accounts have likely been for sale on the dark web, and if you have been the victim of identity theft in the last three years and have or had a Yahoo account, this could be how it happened.
So, the $1.5 billion question (sarcastic as it may be) is what should you do? If you have a Yahoo account and don’t actively use it, close it. Just get rid of it. If you do have a Yahoo account, change your password, even if you have recently done so. You can never change a password often enough. Do not use a simple or short password. Create a password that is a minimum of 12 characters in length and use a mixture of letters, both upper and lower case, numbers and symbols. Even better, use a passphrase, a sentence in place of a single word. Include spaces, just as if you typed it out on paper, and still switch out some letters for other characters. Yahoo does offer limited two-factor authentication, so use it. It will help further protect your user account. Also, don’t use this password for any other online account. Every account should have its own, unique password, so that if any single site is breached, you only have to worry about securing that one account.
What’s unique about this breach is that hackers didn’t just get the username and password, they also got the account security questions and their answers, making it even easier for the hacker to impersonate the actual account owner.
As a result of this coming to light, you may expect to see an increase in phishing emails offering to help you secure your accounts or looking for more information. All this is designed to trick you into revealing more about yourself to the hacker. Don’t fall victim to these follow-on hacks. Only take action that you initiate, never in response to an electronic request.
Many experts are also recommending blocking access to your credit report as a further mechanism to ensure your identity remains secure. It’s a prudent step as one of the main outcomes from a hack like this is hackers trying to open credit card accounts in your name.
The ramifications of this latest announcement will become clearer in the weeks ahead. It’s likely that Yahoo will see an exodus of users who have lost confidence in the company’s ability to keep its users secure. Many online companies will be watching the fallout, as the implications are very far-reaching. As well, Yahoo’s acquisition by Verizon is surely in jeopardy. The previously announced $4.8 billion acquisition is either on the brink of falling apart or Yahoo will be forced to accept a much lower price if they want to save the deal. The potential liability to Verizon is too large to ignore.
Just who hacked Yahoo is still not clear and may never be. The company has suggested it may have been a foreign state actor. With all the current talk about other nations hacking into various U.S. systems, this may in fact be the case. It may also be a convenient excuse to draw attention away from the lax security controls that Yahoo has been accused of. Time will tell. For now, one thing is for sure. This should be a loud and clear warning to everyone that you must not take your online account security for granted. You must take the steps that I and others have been recommending for years to secure your accounts. Be safe online!